
A server in a data center is getting a volumetric DDoS attack. Congestion starts to build up and the data center/ISP is going to solve this by null-routing (RTBH routing) the server's IP address for several hours. However, the attacks are much shorter, lasting for a couple of minutes.

A script running on the server, seeing the NIC maxed out, turns off the interface (or deletes the IP from the interface), and is about to turn it back on in a couple of minutes just to see if the storm is over.

Would turning the NIC off drain the congestion so the ISP would not act and so the server gets through the pains by being unreachable only for the duration of the attack, not hours?

I know the router connected directly to the server replies back with an ICMP 'Host Unreachable', but what happens after that? Does that eventually trigger anything in the infrastructure between the server and its attackers?

diviaki

1 Answer


Short answer: not likely to help. Your ISP routes a range of IP addresses to you, not just a single IP. So the traffic will come to your data center regardless of whether the host is online or not. ICMP messages are intended for the sender, so there's no state held in the ISP (or other) network.

Some ISPs have more intelligent DDoS techniques than just RTBH.

This Question and Answers may help you.

Ron Trunk
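
A small model of the point made in the answer, added here as an illustration and not part of the original answer: the ISP edge forwards on the routed prefix by longest-prefix match, so the load on the data center uplink is the same whether the server's NIC is up or down, and only a more specific RTBH /32 route changes it. The prefix, addresses, traffic figures and all names are constructed.

```python
import ipaddress

DC_LINK = "dc-uplink"   # constructed name: ISP edge -> data center link
NULL0 = "null0"         # discard next hop used by an RTBH route

class Fib:
    """Longest-prefix-match forwarding table of the ISP edge router."""
    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [net for net in self.routes if addr in net]
        if not hits:
            return NULL0  # no route: dropped
        return self.routes[max(hits, key=lambda net: net.prefixlen)]

def uplink_load(fib, flows):
    """Mbps the ISP edge puts on the data center uplink.
    Host state is not an input: the FIB only knows prefixes."""
    return sum(mbps for dst, mbps in flows if fib.lookup(dst) == DC_LINK)

def last_hop(dst, host_up):
    """Fate of a packet at the data center access router, after it
    has already crossed the uplink."""
    return "delivered" if host_up.get(dst) else "dropped, ICMP host unreachable to source"

# Constructed sample data (documentation address range).
VICTIM, NEIGHBOR = "203.0.113.10", "203.0.113.20"
FLOWS = [(VICTIM, 9000), (NEIGHBOR, 200)]  # (destination, Mbps)

def scenario():
    fib = Fib()
    fib.add("203.0.113.0/24", DC_LINK)       # ISP routes the whole range
    nic_up = uplink_load(fib, FLOWS)
    # Server turns its NIC off: only the last hop changes.
    fate = last_hop(VICTIM, {VICTIM: False, NEIGHBOR: True})
    nic_down = uplink_load(fib, FLOWS)
    fib.add(VICTIM + "/32", NULL0)           # ISP installs the RTBH route
    rtbh = uplink_load(fib, FLOWS)
    return nic_up, nic_down, fate, rtbh

if __name__ == "__main__":
    print(scenario())
```

The uplink carries the same load in the first two cases because the drop happens after the congested link; the RTBH route removes the attack traffic at the ISP edge, at the cost of the victim address being unreachable.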